Source code opens window to old IE flaw

By Robert Lemos
Posted on ZDNet News: Feb 18, 2004 1:17:00 AM

Security researchers' perusal of Windows 2000 and NT 4 software code has uncovered a vulnerability in an older version of Internet Explorer.

The vulnerability, which affects only Internet Explorer 5.01, could allow attackers to set up faux Web servers or send malicious e-mails that would compromise people's PCs when they click on a URL (uniform resource locator), security researchers revealed last weekend. Microsoft confirmed the issue and said it's investigating the problem.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

"It doesn't affect (the latest version of) IE6," said Mike Reavey, security program manager for Microsoft. "It does look like it was one of the things that was found during the code review."

The discovery of the vulnerability confirms that the Windows source code that was leaked last week can be used to find flaws in Microsoft's software. File traders and security researchers spread two 200MB files containing the code across the Internet, and it's unlikely that Microsoft will be able to curtail the effects of the leaked code.

"On the good side, all of the (leaked) software is from before Microsoft started the Trustworthy Computing Initiative--it's old code," said Thor Larholm, senior security researcher at software firm PivX Solutions. "On the bad side, this definitely shows that there is potential for some critical vulnerabilities to be found because of the leak."

Larholm also pointed out that a lot of the leaked code, which is at least 2 years old, has been included in the latest version of Microsoft's operating system.

A security researcher, who only identified himself by the initials "gta," posted information on the vulnerability to several security mailing lists. Less than 10 percent of Internet users browse with the vulnerable Internet Explorer, according to data from Web analytics firm WebSideStory.

Microsoft fixed the issue in later versions of Internet Explorer without telling consumers, a practice known in security circles as the "silent fix." Patching is always good, but the company should make sure that it informs the end users, said Chris Wysopal, vice president for research and development at digital security firm @Stake.

"I just wonder how it was communicated to end users that they should upgrade," he said.

Wysopal sees a positive side to the discovery, however. The vulnerability's limited effect should be a testament to Microsoft's Trustworthy Computing Initiative, he said.

"The big issue (for the initiative) is whether Microsoft has been able to find vulnerabilities in its code base," he said. "Now, we have an example of at least one (issue) that they have been able to fix."